What You Should Know: Final consent guidance from Quebec’s privacy regulator

Last week, October 31, 2023, Quebec’s privacy regulator, the Commission d'access a l'information (“the CAI”), released its final guidelines on consent under Quebec’s new privacy law, Law 25. The guidelines aim to clarify certain criteria and outline best practices for obtaining valid consent under the law.

Earlier this year, the CMA was invited by the CAI to provide feedback on a draft version of the guidelines. See our submission here.

With the majority of Law 25 now in effect and new official guidelines to digest, let’s unpack some of the key components marketers should know about, as well as some of the differences between the draft and final guidelines.

The guidelines outline the criteria required for consent to be legal and valid. These criteria require consent to be:

• Manifest
• Free
• Informed
• Specific
• Granular
• Understandable
• Temporary

Highlights of the guidelines

The guidelines break down each of the criteria and include some examples. A handful of these requirements are distinct to Quebec, and differ from what marketers were used to under the old law. For example, “granularity” under Law 25 requires consent to be requested for each purposes for which it’s sought. This means purposes can’t be bundled in your privacy policy. If a person is required to consent to several purposes simultaneously, their consent is not considered “free”.

Privacy policies and disclosures now look different under Law 25. The law requires a higher level of transparency, meaning more information must be shared with consumers upfront for consent to be valid. Organizations must provide notice of:

• The purposes for which the personal information is being collected;
• The means of collection;
• The individual’s right to access and correct it;
• The individual’s right to withdraw consent; and,
• The names of any third parties with whom the information will be shared, or for whom the information is collected on behalf of, as well as notification of the possibility that the information may be shared outside of Quebec.

The notice must be presented to consumers in clear and simple language. Additional notice is needed for any collection of personal information unrelated to the core functionality, such as for secondary uses or unexpected disclosures to third parties.

The CAI’s guidelines encourage organizations to pay particular attention to transparency on an ongoing basis. Organizations are encouraged to remind individuals about how their data is being used at appropriate intervals, and about their ability to opt out (in addition to posting this information in readily accessible ways, e.g. on a website).

Marketers should take note that the CAI has maintained its interpretation that express consent should be required when organizations collect personal information through technologies that identify, locate or profile individuals.

According to the CAI, these technologies, which include targeted advertising cookies and GPS or other location technologies, should all be deactivated by default. Additionally, detailed disclosures must be made to the intended audience, informing them at the time of collection of how the technologies will be used and how users can activate the tracking functions. 

Take, for example, a magazine website that offers personalized article recommendations based on readers’ interests, which are inferred by an AI algorithm. The use of cookies to collect personal information, in this instance, makes profiling possible. Therefore, under the CAI’s guidance, the magazine would be required to display an overlay window on the first visit to the site to provide visitors with the information required by law. It would then tell the visitor how to activate the deposit of cookies, given the guidance suggests it be deactivated by default.

Given the significant technical implications for organizations and additional consent fatigue risk for consumers that this interpretation requires, marketers are encouraged to consult with their compliance teams to ensure the best path forward for their organization.

CMA members can access an English version of the CAI’s new consent guidelines (electronically translated) here.

Comparison of the draft and final guidelines

After the CAI’s summer consultation, you may be wondering what exactly has changed between the draft and final guidelines. CMA members can access a chart highlighting the major differences between the draft and final versions here.

One favourable change found in the final guidelines will go a long way in helping to address consumer consent fatigue. The CAI’s suggestion (in the draft guidelines) that an organization should seek express consent whenever possible has been removed. This was a recommendation made by the CMA during the consultation. It is critical that organizations continue to have the operational choice of choosing to rely on implied consent for non-sensitive information and reasonably expected uses. Routinely requesting express consent when it is not needed negatively affects the customer experience, and could overwhelm and cause confusion for consumers, undermining the goal of effective privacy protection.

With the CAI guidelines now released, the CMA plans to release further practical guidance to help bring the law to life for marketers. In the meantime, marketers are encouraged to consult the CAI’s official guidance, which is being released on various topics in a staged approach, and consult actively with their compliance teams.

Have any questions you want answered? Drop us a line.

Authors:
Fiona Wilson | Director, Public Policy and Chief Privacy Officer | CMA
Marlize Van Sittert | Public Policy Specialist | CMA